Remarks 



The above Amendments and these Remarks are in reply to the Final Office Action 
mailed December 28, 2007. 

I. Summary of Examiner's Rejections 

Prior to the Final Office Action mailed December 28, 2007, Claims 1-9 and 21-31 were 
pending in the application. In the Final Office Action, Claims 1-9 and 21-31 were rejected under 
35 U.S.C. 112, first paragraph, as failing to comply with the written description requirement. 
Claims 1-2, 5, 7-8, and 21-31 were rejected under 35 U.S.C. 103(a) as obvious over Brownlie et 
al. (U.S. Patent No. 6,202,157, hereinafter Brownlie) in view of Donohue (U.S. Patent No. 
6,199,204, hereinafter Donohue), and further in view of Wu et al. (U.S. Patent No. 5,774,551, 
hereinafter Wu) or Al-Salqan et al. (U.S. Patent 6,687,823, hereinafter Al-Salqan). Claim 6 was 
rejected under 35 U.S.C. 103(a) as being unpatentable over Brownlie in view of Donohue and 
Wu or alternatively Al-Salqan and further in view of Wang (U.S. Patent No. 5,956,521, 
hereinafter Wang). Claims 3-4 and 9 were rejected under 35 U.S.C. 103(a) as being 
unpatentable over Brownlie in view of Donohue and Wu or alternatively Al-Salqan, and further in 
view of Trcka et al. (U.S. Publication No. 2001/0039579, hereinafter Trcka) and Microsoft Press 
(Computer Dictionary, 3rd Edition, ISBN:157231446XA, 1997, hereinafter Microsoft). 

II. Summary of Applicant's Amendment 

The present Response amends Claims 1, 7, 21, 26, 30 and 31, leaving for the 
Examiner's present consideration Claims 1-9 and 21-31. Reconsideration of the Application, as 
amended, is respectfully requested. Applicant respectfully reserves the right to prosecute any 
originally presented or canceled claims in a continuing or future application. 

III. Claim Rejections under 35 U.S.C. § 112 

In the Office Action, Claims 1-9 and 21-31 were rejected under 35 U.S.C. 112, first 
paragraph, as failing to comply with the written description requirement. More specifically, the 
limitation "each separate application in the system being guarded by a different copy of the 
access authorization service such that separate applications in the system do not share 
authorization services" was rejected as not having been disclosed in the original specification. 

Applicant respectfully disagrees. As previously amended in the Amendment filed 
December 3, 2007, the Specification specifically discloses that "each application being 
protected is associated with its own copy of the access authorization service" and "the 
applications do not share authorization services" (Specification, paragraph [0087]). Applicant 
has amended Claims 1, 7, 21, 26, 30 and 31 so as to more closely follow the language used 
therein. Accordingly, as amended, Claims 1-9 and 21-31 are fully supported by the Specification 
as originally filed and reconsideration thereof is respectfully requested. 

IV. Claim Rejections under 35 U.S.C. § 103(a) 

In the Final Office Action, Claims 1-2, 5, 7-8, and 21-31 were rejected under 35 U.S.C. 
103(a) as obvious over Brownlie et al. (U.S. Patent No. 6,202,157, hereinafter Brownlie) in view 
of Donohue (U.S. Patent No. 6,199,204, hereinafter Donohue), and further in view of Wu et al. 
(U.S. Patent No. 5,774,551, hereinafter Wu) or Al-Salqan et al. (U.S. Patent 6,687,823, 
hereinafter Al-Salqan). Claim 6 was rejected under 35 U.S.C. 103(a) as being unpatentable 
over Brownlie in view of Donohue and Wu or alternatively Al-Salqan and further in view of Wang 
(U.S. Patent No. 5,956,521, hereinafter Wang). Claims 3-4 and 9 were rejected under 35 
U.S.C. 103(a) as being unpatentable over Brownlie in view of Donohue and Wu or alternatively 
Al-Salqan, and further in view of Trcka et al. (U.S. Publication No. 2001/0039579, hereinafter 
Trcka) and Microsoft Press (Computer Dictionary, 3rd Edition, ISBN:157231446XA, 1997, 
hereinafter Microsoft). 

Al-Salqan et al. reference does not qualify as Prior Art 

Al-Salqan et al. (U.S. Patent No. 6,687,823, hereafter Al-Salqan) was used in 
combination with several other references to reject the claims of the present application. The 
effective prior art date of Al-Salqan appears to be May 5, 1999. However, the present 
Application is a continuation of U.S. Application No. 09/248,788 (now U.S. Patent 6,158,010), 
which was filed on February 12, 1999. Claims 1-9 and 21-31 are fully supported by the parent 
Application 09/248,788. Accordingly, because the priority date of the present Application 
pre-dates the effective prior art date of the Al-Salqan reference, Applicant respectfully submits that 
the Al-Salqan reference is not proper prior art against the present Application and requests 
withdrawal of any rejections based thereon. 

In addition, the present Application also claims priority to U.S. Provisional Application 
No. 60/105,963, which was filed October 28, 1998, and which also pre-dates the effective prior 
art date of the Al-Salqan reference. Accordingly, withdrawal of these rejections is requested. 

Claim 1 



Claim 1 has been amended for purposes of clarity. As amended, Claim 1 currently 
defines: 

1. A system for maintaining security in a distributed computing environment, 
comprising: 

(1) a policy manager, coupled to a network, including 
    a database for storing a security policy including a plurality of rules that control 
        user access to applications; and 
    a policy distributor, coupled to the database, for distributing the plurality of rules 
        through the network; 

(2) a security engine located on a client coupled to the network and stored on a 
    computer readable storage medium, said security engine storing a set of 
    the plurality of rules constituting a local customized security policy 
    received through the network from the policy distributor, and enforcing the 
    local customized security policy with respect to an application at the client 
    wherein enforcing the local customized security policy includes evaluating 
    an access request by matching it to one or more of the plurality of rules of 
    the local customized security policy and granting or denying access to the 
    application based on the evaluation; and 

(3) the application, coupled to the security engine, wherein the security engine 
    guards access to the particular application to which said security engine 
    is coupled, each separate application in the system being guarded by its 
    own different copy of access authorization service such that separate 
    applications do not share authorization services; and 
    wherein the security policy is updated by recording a series of incremental 
    changes to the security policy, determining which of said incremental 
    changes are applicable to said security engine, computing an 
    accumulated delta that reflects the series of incremental changes 
    applicable to said security engine and sending the accumulated delta to 
    the security engine from the policy manager such that the security engine 
    uses the accumulated delta to update the local customized security 
    policy. 

As amended, Claim 1 defines an application that is coupled to a security engine such 
that the security engine guards access to the particular application to which it is coupled. In this 
way, each separate application in the system is guarded by its own different copy of the 
authorization service based on a centrally distributed security policy. Since the applications do 
not share authorization services, the access requests can be evaluated based on different 
custom policies for each application. At the same time, these policies are distributed from a 
central source, which allows the management of all these custom policies and authorization 
services. 
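
The update path and per-application enforcement recited in Claim 1, sketched as an added example (not code from the Application or from any cited reference). The change-log format, the rule tuple, default-deny with deny-overrides matching, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    seq: int          # position in the policy manager's change log
    op: str           # "add" or "remove"
    rule_id: str
    app: str          # application the rule applies to
    rule: tuple = ()  # (user, action, effect), present for "add"

def accumulated_delta(log, app, since_seq):
    """Collapse changes newer than since_seq that apply to `app` into one net delta."""
    adds, removes = {}, set()
    for c in sorted(log, key=lambda c: c.seq):
        if c.seq <= since_seq or c.app != app:
            continue                      # already applied, or not for this engine
        if c.op == "add":
            adds[c.rule_id] = c.rule
            removes.discard(c.rule_id)
        else:
            adds.pop(c.rule_id, None)     # an add followed by a remove nets out
            removes.add(c.rule_id)
    upto = max((c.seq for c in log), default=since_seq)
    return {"add": adds, "remove": removes, "upto": upto}

class SecurityEngine:
    """One copy per application; holds only that application's local policy."""
    def __init__(self, app):
        self.app, self.rules, self.seq = app, {}, 0

    def apply(self, delta):
        for rule_id in delta["remove"]:
            self.rules.pop(rule_id, None)
        self.rules.update(delta["add"])
        self.seq = delta["upto"]

    def authorize(self, user, action):
        # Assumed semantics: default deny, and a matching deny overrides a grant.
        effects = {e for (u, a, e) in self.rules.values() if (u, a) == (user, action)}
        return "grant" in effects and "deny" not in effects

# Constructed sample change log held by the policy manager.
LOG = [
    Change(1, "add", "r1", "payroll", ("alice", "read", "grant")),
    Change(2, "add", "r2", "orders", ("bob", "write", "grant")),
    Change(3, "add", "r3", "payroll", ("bob", "read", "grant")),
    Change(4, "remove", "r3", "payroll"),
    Change(5, "add", "r4", "orders", ("alice", "write", "deny")),
]
```

An engine that last synchronized at sequence 3 receives only the removal of `r3`, while a newly started engine receives the net result of the whole log for its own application.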

Applicants respectfully submit that these features are neither disclosed nor rendered 
obvious by Brownlie in combination with Donohue and further in combination with Wu (the cited 
references). 

In the Office Action, Wu was cited as disclosing "a system with modular (pluggable) 
design wherein a different copy of access authorization service guards separate applications 
(Fig. 1, 3 and 5 and associated text)" (Office Action page 7). Applicant respectfully disagrees. 
Wu describes a pluggable system that includes multiple authentication modules; however, this is 
different from the features defined in Claim 1. Authentication modules described in Wu are 
merely a way for a user to log into the system using different methods. For example, when the 
user attempts to log in, the system determines which authentication service to use and then 
uses that particular type of service to log in the user (Wu, col. 6, lines 35-50). There is no 
disclosure in Wu of each application controlling transactional access to its various components 
by using its own different copy of the authorization service so that applications do not share the 
authorization services, as defined in Claim 1. This feature of Claim 1 allows access to each 
separate application to be guarded by a different security engine based on a centrally 
distributed but locally customized security policy. No such functionality is described in Wu. 

Another point of distinction is that in Claim 1, different access authorization services are 
defined, not authentication of users, as disclosed in Wu. This is significant because access 
authorization services control transactional access to applications (e.g. for each access request, 
transaction, etc.), and do not merely allow a user to authenticate himself (log in) to the system as 
described in Wu. Furthermore, there is no disclosure in Wu of separate applications having their 
own copies of authorization services, such that they do not share the services. Thus, a different 
authorization service at each application that controls access to that application is not the same 
as multiple authentication modules described in Wu. 

Furthermore, in the Office Action, Donohue was cited as disclosing the feature of 
updating changes of Claim 1. Applicant respectfully disagrees. Donohue teaches the distribution 
of software updates and patches. More specifically, Donohue provides an updater agent which 
is associated with a computer program and which accesses relevant network locations and 
downloads any available updates to that program (Donohue, Abstract). This is different from the 
features of Claim 1, as amended. For example, Donohue does not disclose any recording or 
keeping track of incremental changes to a security policy. More specifically, there is no 
disclosure of determining which of those incremental changes are relevant to each security 
engine and computing an accumulated delta that reflects only those changes that are applicable 
to each different security engine, as defined in Claim 1. 

In view of the above comments, Applicant respectfully submits that Claim 1, as 
amended, is neither anticipated by, nor obvious in view of the cited references, and 
reconsideration thereof is respectfully requested. 

Attorney Docket No.: BEAS-01453US3 SRM/JXG 11 
M:\JGeringson\wp\BEAS\1453\us3\Resp to 12-28-07 Final OA.doc 



Claims 7, 21, 26, 30 and 31 

Claims 7, 21, 26, 30 and 31, while independently patentable, recite limitations that, 
similarly to Claim 1, are neither disclosed nor rendered obvious by the cited references. 
Reconsideration thereof is respectfully requested. 

Claims 2-6, 8-9, 22-25 and 27-29 

Claims 2-6, 8-9, 22-25 and 27-29 are not addressed separately, but it is respectfully 
submitted that these claims are allowable as depending from an allowable independent claim, 
and further in view of the comments provided above. 

It is also submitted that these claims also add their own limitations which render them 
patentable in their own right. Applicant respectfully reserves the right to argue these limitations 
should it become necessary in the future. 

V. Conclusion 

In view of the above amendments and remarks, it is respectfully submitted that all of the 
claims now pending in the subject patent application should be allowable, and reconsideration 
thereof is respectfully requested. The Examiner is respectfully requested to telephone the 
undersigned if he can assist in any way in expediting issuance of a patent. 

The Commissioner is authorized to charge any underpayment or credit any overpayment 
to Deposit Account No. 06-1325 for any matter in connection with this response, including any 
fee for extension of time, which may be required. 

Respectfully submitted, 

Date: March 28, 2008 By: /Justas Geringson/ 

Justas Geringson 
Reg. No. 57,033 

Customer No.: 23910 
FLIESLER MEYER LLP 
650 California Street, 14th Floor 
San Francisco, California 94108 
Telephone: (415) 362-3800 
Fax: (415) 362-2928 